Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 11:07

General

  • Target

    f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe

  • Size

    632KB

  • MD5

    d08c8cb40ccb8a4d4ed7085f0fcac3e5

  • SHA1

    2475d4395f39cbc5a9937537078fe78bca37248b

  • SHA256

    f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b

  • SHA512

    fafa3c5059b04bded85ac86a46c1dfdcbc2e7c781d573248e5e7008d6e5a751eeb4764244cc8aa0d76a59adf21fa8837e8c8a8f195d835674866d22039097cf3

  • SSDEEP

    12288:4MrZy90XTnuGCUTLvPQdsFfPay8HC7UZTcsCJ+53D//Uw94d6Yqlrf8eCSXT:ByCHx/XQ0fPa67UVcDJ+53L/Uw94d2lj

Malware Config

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
    "C:\Users\Admin\AppData\Local\Temp\f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe
          4⤵
          • Executes dropped EXE
          PID:3320
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe
          4⤵
          • Executes dropped EXE
          PID:3564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exe

    Filesize

    530KB

    MD5

    5061a0d7d94d44fc5bbb962df410c108

    SHA1

    0cafcc2ac6f78b0210c7ce506058358863b67488

    SHA256

    094d87cd8fd3cc88f324f680eac4e338bb582eb504eb5b68606ba35d6d387576

    SHA512

    a17a41883fb3eb27288058d30c9a0c0b0a1b6297b2870c635b2c687ac38b841459ae50eb6ea92e61f016f0f09990775433071432aa2284c5c4d3ae15be3e5703

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exe

    Filesize

    272KB

    MD5

    8eba0485ac0a7780fa377c00808ad6b8

    SHA1

    c936a0476c63df488bcf97053ff5809f5871b363

    SHA256

    a5bd07211cadf84bce70fd372c65b356ec90df6be3f201eee00943c9406e5c79

    SHA512

    490e67f41d00cc4ec7c76e91ff2b98ce664a74d307affb14637d02203a3410ba73e4b5302d4643350af44bed00cc50ad1d6dc0670e9e452a93ec6fc80cd8ff9b

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe

    Filesize

    140KB

    MD5

    92ad6c4dea02f75c3599d4c1f737b929

    SHA1

    193e468583e2793a03c2fbfa111237a8a81a71f9

    SHA256

    8b8bac8aced57e0f790a95915537402dee9d80e4ca3f1a6e96662df86a7b4dcf

    SHA512

    a1cba18844e3b1aa618a32768958b96d7ad58dffef5aa4e14eafb1ed4a32d74a1384b95590f5689d65115fe2221faca244301e8d641caedb1c77f5bc1904f95a

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe

    Filesize

    174KB

    MD5

    06d07aa95fc4f476fe3813ee31e1b54c

    SHA1

    04680450a32772111945b06876395f45af500cf1

    SHA256

    090cf3a3f853381105376d3a1d12351c503000f2e8742359c0cb179cb82508fc

    SHA512

    3290f1d11b6b4c891179bb08a6f7ce38088e5a5b851eba167c6807ba5938af6bc33ac7a4b895a97e4896cb9fee49523d0686b0913dc5345e9286b30fcd292568

  • memory/3564-24-0x0000000000790000-0x00000000007C0000-memory.dmp

    Filesize

    192KB

  • memory/3564-25-0x0000000002A20000-0x0000000002A26000-memory.dmp

    Filesize

    24KB

  • memory/3564-26-0x0000000005750000-0x0000000005D68000-memory.dmp

    Filesize

    6.1MB

  • memory/3564-28-0x0000000005130000-0x0000000005142000-memory.dmp

    Filesize

    72KB

  • memory/3564-27-0x0000000005240000-0x000000000534A000-memory.dmp

    Filesize

    1.0MB

  • memory/3564-29-0x0000000005190000-0x00000000051CC000-memory.dmp

    Filesize

    240KB

  • memory/3564-30-0x00000000051D0000-0x000000000521C000-memory.dmp

    Filesize

    304KB